GDPR/The Canadian Privacy Act and Ok Alone

From the 18th of May 2018 all countries in the European Union had to abide by the new General Data Protection Regulation (GDPR). This was approved by the European Parliament and Council and replaced the Data Protection Directive 95/46/EC. These regulations apply to everyone from small businesses to large enterprises handling personal data within the EU. GDPR also applies to anyone outside the EU who handles personal data of an EU resident.

Personal Data

What data do we hold?

In Ok Alone there are two kinds of users of the system. Workers, the people in the field whose safety is being monitored, use the app. Monitors, the people responsible for taking action on any alerts generated by Workers, use the browser-based Dashboard, typically on a PC or Smartphone. The unique identifier of the Worker is an Ok Alone-generated PIN.

Whilst it is best practice to use the worker’s name, it is not a requirement. Anonymised data like ID numbers, building names or team names can be used. Monitors need an email to log in. That email does not need to be a work email or an email containing their name, although again, this is normal practice. For those who want alerts, an email and/or phone/cell number are necessary.

If scheduling is required, shift information is needed too. All other data is generated from within the Ok Alone system. In short, little if any client data is required to set up Ok Alone, but most clients provide a name, email and phone number(s).

For what purpose do we hold the data?

Data, including location data, is stored so that any alerts related to worker safety can be resolved and reviewed. Data is also stored so there is a full audit trail of all actions carried out in the system.

How long do we hold the data?

There are 4 key aspects to data storage. First, the data relating to the workers and monitors is held whilst the account is open, but the addition and deletion of this data is controlled by you (the Company). Second, the location data of the workers is held for 30 days in the live database. Third, the transactional data about workers’ activity (i.e. start/end shifts, check-ins, help alerts, messages sent) is held for 1 year in the live database. Fourth, back-ups are taken regularly and held in storage outside of the main system. This data is held for extended periods of time due to legal requirements (i.e. the Occupational Health and Safety Regulation or the OHS provisions of the Workers Compensation Act).

Union Wide Uniformity

The reason for the GDPR is to make sure there are uniform data security laws across all EU members. This means countries no longer have to write their own laws and ensures all laws are the same across the union. To read the full document, click this link: https://gdpr-info.eu/

The regulations were brought in to protect people’s personal data when they are online. The GDPR covers data collected about someone that could be used to identify them. This could include:

  • Names
  • Social Media Posts
  • Email Addresses
  • IP Addresses
  • Photos
  • Personal Medical Information
  • Phone Numbers
  • Date of Birth
  • Bank Details
  • Passport Number

Any data that could be used to identify an individual, either a single piece, like a name, or many small pieces that add up to identify an individual, needs to be safeguarded.

GDPR Principles

There are seven principles of GDPR which are laid out in Article 5: ¹

  • Lawfulness, Fairness and Transparency
  • Purpose Limitation
  • Data Minimisation
  • Accuracy
  • Storage Limitation
  • Integrity And Confidentiality (Security)
  • Accountability 

The only principle that was not included in previous regulations is ‘accountability’. This means companies need to prove they are compliant with the regulations, are documenting how their data is protected and that only people who need access to information can access it.

Brexit Impact

As the UK left the European Union, it introduced the UK GDPR to work alongside the Data Protection Act 2018 (DPA). The UK GDPR maintains the data protection standards of the GDPR and the same extraterritorial scope. Therefore, companies based outside the EEA who process UK residents’ data for the purposes of providing goods or services will have to comply with the standards set out in the UK GDPR. Any necessary decisions on the GDPR previously decided by the European Commission will be transferred to the Secretary of State and/or the Information Commissioner. ²

GDPR/The Canadian Privacy Act and Ok Alone

Peoplesafe Personal Safety Ltd, a Canadian Controlled Private Company which delivers the Ok Alone service and which is the data processor, has written its privacy policy to comply with the GDPR in the EU and UK and the Canadian Privacy Act. In particular, Ok Alone uses personal data for the legitimate interest of providing its services, which is in line with GDPR, Article 5, point B: ‘Personal data shall be: collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);’ ³

You may review the full privacy policy here – https://www.okaloneworker.com/work-alone-monitoring-privacy

The Data flow process and Data Storage

The servers used by Ok Alone are located in Canada and are subject to PIPEDA (Personal Information Protection and Electronic Documents Act). This ensures all data received from customers is kept securely.

Data Sharing

Ok Alone does not share any data or information with other companies. In addition to the primary purposes, we are also legally obliged to share certain data with other public bodies and will do so where the law requires this; we will also generally comply with requests for specific information from other regulatory and law enforcement bodies where this is necessary and proportionate.

Data Access Information

Ok Alone takes data privacy very seriously, making sure internal access to customers’ personal data is on a need-to-know basis. All users with access to personal data have individual logins and standard industry security practices are maintained.

Ok Alone customers also have a great deal of control over which people internally see personal data. There are three levels of user access rights for the Monitors, each of which grants different access to personal data. Workers do not have access to personal data. All interaction between Workers and the system occurs through an encrypted connection with the app. Combined, this ensures people’s data stays private.

User Rights

Each person has the right to request deletion, updating, correction, or the full record of their data. To enable this, each Admin Monitor can add, edit, update and delete Workers’ personal information in the system. In the event that there is a particular element of data the Monitor cannot edit, update or delete, they can also email us at [email protected] to request that data be removed from our systems.

Subprocessors

GDPR requires processors to inform clients of any subprocessors they may have contact with. Here is a list of all subprocessors that Ok Alone is engaged with.

  • Amazon Web Services
  • Azure – Microsoft Corporation
  • Twilio
  • AgileCRM
  • Google LLC
  • Catalyst2
  • Linode
  • Bambora
  • PayPal
  • PieSockets
  • MapBox

1 – https://gdpr-info.eu/art-5-gdpr/

2 – Item 2.14 https://www.legislation.gov.uk/uksi/2019/419/pdfs/uksiem_20190419_en.pdf

3 – https://gdpr-info.eu/art-5-gdpr/